Splunk® Phantom (Legacy)

Use Splunk Phantom

Splunk Phantom 4.10.7 is the final release of Splunk's Security Orchestration, Automation, and Response (SOAR) system to be called Splunk Phantom. All later versions are named Splunk SOAR (On-premises). For more information, see the Splunk SOAR (On-premises) documentation.

Start with Investigation in Splunk Phantom

Use the Splunk Phantom Investigation page as the starting point to understand, investigate, and act on events. Investigation gives you access to the event's activity history, contextual and interactive data views, secure file attachments, and automation and case management controls.

The activity feed displays current and historical action and playbook activity that has acted on the currently displayed event. It provides a summary of the success, ongoing execution, and results of all automation operations for the event. The activity feed also provides team collaboration capabilities that are integrated inline with automation details and other data, forming a record of all relevant event information.

After you verify an event, you can promote it to a case using the integrated case management capability. Case management supports tasks that map to your defined Standard Operating Procedures (SOPs) and has full access to the Phantom Automation Engine, so you can launch actions and playbooks as part of a task.

Set your view in Investigation

Analyst and summary views enable different personas to quickly view information and perform actions. Toggle quickly between the summary and analyst views by clicking the Summary or Analyst view buttons in an event or case.

  • The Summary view presents mostly non-actionable information about an event or case. This information is useful for individuals such as managers or executives who want to be able to view the status of an event or case without having to view the actionable items.
  • The Analyst view contains the same information as the summary view along with all options to perform actions on the event or case, such as run a playbook, add and edit a workbook, or view and add artifacts.

HUD cards

The collapsible heads up display (HUD) helps you track important metrics and information. Splunk Phantom administrators control HUD card settings. Users can customize the HUD for an event or case by adding or removing cards, or configuring manual cards of their own design.

The following HUD card types are available:

  • Preset Metrics
  • Custom Fields
  • Manual

Preset Metrics and Custom Fields cards are defined by a Splunk Phantom administrator and display one of the built-in metrics or the information from a custom field. You can add or remove these cards, but only an administrator can change the card options. Manual cards let you add a customized card to the HUD for an event or case.

Add a card to the HUD

Perform the following steps to add a card to the HUD:

  1. From the Phantom main menu, select either Cases or Sources > My Events.
  2. Select an event or case.
  3. Expand the HUD menu.
  4. Click the gear icon to open the Configure HUD modal.
  5. Click + HUD Card.
  6. Choose a HUD card type.
  7. Configure the available card options. The following table describes the manual card options:

     Setting   Description
     Type      Text creates an input field where you can add a small amount of text. Select creates a card with a dropdown list of options.
     Message   The name of the HUD card.
     Color     The display color of the HUD card.

  8. Click Save.

To display HUD information from earlier versions of Splunk Phantom, set HUD TABLE DATA to ON.
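The two Investigation actions covered above, promoting a verified event to a case and adding a manual HUD card, can also be driven from an automation user's token instead of the UI. The following is an added example written for this page; it is not code from the Splunk Phantom documentation or product. It assumes the Phantom REST conventions of the 4.x line: the ph-auth-token header for automation users, POST /rest/container/<id> with container_type "case" (and an optional template_id) to promote, and POST /rest/container_pin with pin_type "card" and a pin_style of grey, blue or red to create a HUD card whose message is the card name and whose data is the displayed value. Check those paths and field names against your instance's REST API reference before relying on them. The hostname, token and container ID 42 are constructed, and the FakeTransport lets the script run offline.

```python
"""Promote a Phantom event (container) to a case and pin a manual HUD card
through the REST API. Added example, not Splunk's own code; endpoint paths,
field names and accepted pin styles are assumptions to verify on your instance."""
import json
import ssl
import urllib.request
from typing import Any, Callable, Dict, List, Optional, Tuple

# A transport takes (method, url, headers, body) and returns (status, parsed JSON).
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, Dict[str, Any]]]

# Assumed manual-card colours accepted by /rest/container_pin.
PIN_STYLES = ("grey", "blue", "red")


def https_transport(ca_file: Optional[str]) -> Transport:
    """Real transport. TLS verification stays on: point ca_file at the CA that
    issued the Phantom certificate rather than disabling checks for a self-signed host."""
    ctx = ssl.create_default_context(cafile=ca_file)

    def send(method, url, headers, body):
        req = urllib.request.Request(url, data=body, headers=headers, method=method)
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return resp.status, json.loads(resp.read() or b"{}")

    return send


class FakeTransport:
    """Offline stand-in (constructed for this example) that records every request
    and answers the way a healthy Phantom server would."""

    def __init__(self) -> None:
        self.calls: List[Tuple[str, str, Dict[str, Any]]] = []

    def __call__(self, method, url, headers, body):
        self.calls.append((method, url, json.loads(body or b"{}")))
        return 200, {"success": True, "id": 100 + len(self.calls)}


class PhantomClient:
    def __init__(self, base_url: str, auth_token: str,
                 transport: Optional[Transport] = None, ca_file: Optional[str] = None) -> None:
        self.base_url = base_url.rstrip("/")
        # Automation users authenticate with the ph-auth-token header (assumed 4.x convention).
        self.headers = {"ph-auth-token": auth_token, "Content-Type": "application/json"}
        self.transport = transport or https_transport(ca_file)

    def _post(self, path: str, payload: Dict[str, Any]) -> Dict[str, Any]:
        status, data = self.transport("POST", self.base_url + path, self.headers,
                                      json.dumps(payload).encode())
        # Treat both a non-200 status and a JSON "success": false as failure.
        if status != 200 or not data.get("success", False):
            raise RuntimeError(f"{path} failed: HTTP {status} {data}")
        return data

    def promote_to_case(self, container_id: int, template_id: Optional[int] = None) -> Dict[str, Any]:
        """Assumed: POST /rest/container/<id> with container_type 'case' promotes the event."""
        payload: Dict[str, Any] = {"container_type": "case"}
        if template_id is not None:
            payload["template_id"] = template_id
        return self._post(f"/rest/container/{container_id}", payload)

    def pin_hud_card(self, container_id: int, message: str, data: str, style: str = "grey") -> int:
        """Assumed: POST /rest/container_pin creates a HUD card; returns the new pin ID."""
        if style not in PIN_STYLES:
            raise ValueError(f"pin_style must be one of {PIN_STYLES}, got {style!r}")
        payload = {"container": container_id, "message": message, "data": data,
                   "pin_type": "card", "pin_style": style}
        return int(self._post("/rest/container_pin", payload)["id"])


def run_demo() -> Dict[str, Any]:
    """Offline walk-through on constructed container 42: promote it, then pin the verdict."""
    fake = FakeTransport()
    client = PhantomClient("https://phantom.example.internal", "constructed-token", transport=fake)
    client.promote_to_case(42, template_id=3)
    pin_id = client.pin_hud_card(42, "Triage verdict", "True positive: credential stuffing", style="red")
    return {"pin_id": pin_id,
            "requests": [(m, u[len(client.base_url):]) for m, u, _ in fake.calls]}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Against a real instance, construct the client without a transport and pass ca_file; keep the automation user's token out of source and scope that user to the labels it needs, because the same token that pins a card can promote, close or delete containers.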

Last modified on 19 October, 2020
This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.8, 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7